|
| 1 | +name: Daily Secrets Detection |
| 2 | + |
| 3 | +on: |
| 4 | + schedule: |
| 5 | + # Run daily at 9:00 AM UTC |
| 6 | + - cron: '0 9 * * *' |
| 7 | + workflow_dispatch: # Allow manual triggering |
| 8 | + |
| 9 | +permissions: |
| 10 | + contents: read |
| 11 | + id-token: write # Required for SLSA attestation |
| 12 | + |
| 13 | +jobs: |
| 14 | + onboard_workflow: |
| 15 | + name: Onboard Chainloop Workflow |
| 16 | + uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@6bbd1c2b3022e48ae60afa0c2b90f3b6d31bcf11 |
| 17 | + with: |
| 18 | + project: "chainloop" |
| 19 | + workflow_name: "daily-secrets-detection" |
| 20 | + secrets: |
| 21 | + api_token: ${{ secrets.CHAINLOOP_TOKEN }} |
| 22 | + |
| 23 | + daily-secrets-scan: |
| 24 | + name: Daily Secrets Scan |
| 25 | + needs: onboard_workflow |
| 26 | + runs-on: ubuntu-latest |
| 27 | + env: |
| 28 | + CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} |
| 29 | + CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }} |
| 30 | + CHAINLOOP_PROJECT_NAME: ${{ needs.onboard_workflow.outputs.project_name }} |
| 31 | + |
| 32 | + steps: |
| 33 | + - uses: actions/checkout@v4 |
| 34 | + |
| 35 | + - name: Install Chainloop |
| 36 | + run: | |
| 37 | + curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --ee |
| 38 | +
|
| 39 | + - name: Initialize Attestation |
| 40 | + run: | |
| 41 | + chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME} |
| 42 | +
|
| 43 | + - name: Install Gitleaks |
| 44 | + run: | |
| 45 | + wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz |
| 46 | + mkdir -p /tmp/gitleaks-install |
| 47 | + tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install |
| 48 | + sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/ |
| 49 | + rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz |
| 50 | + gitleaks version |
| 51 | +
|
| 52 | + - name: Run Gitleaks Scan |
| 53 | + run: | |
| 54 | + gitleaks dir . \ |
| 55 | + --report-format json \ |
| 56 | + --report-path gitleaks-report.json \ |
| 57 | + --config .github/workflows/utils/.gitleaks.toml \ |
| 58 | + || true |
| 59 | +
|
| 60 | + - name: Add Gitleaks Report to Attestation |
| 61 | + run: | |
| 62 | + chainloop attestation add \ |
| 63 | + --name gitleaks-scan \ |
| 64 | + --value gitleaks-report.json \ |
| 65 | + --kind GITLEAKS_JSON |
| 66 | +
|
| 67 | + - name: Finish and Push Attestation |
| 68 | + if: ${{ success() }} |
| 69 | + run: | |
| 70 | + chainloop attestation push |
| 71 | +
|
| 72 | + - name: Mark attestation as failed |
| 73 | + if: ${{ failure() }} |
| 74 | + run: | |
| 75 | + chainloop attestation reset |
| 76 | +
|
| 77 | + - name: Mark attestation as cancelled |
| 78 | + if: ${{ cancelled() }} |
| 79 | + run: | |
| 80 | + chainloop attestation reset --trigger cancellation |
0 commit comments